feat: user 1000 in worker

.github/workflows/alpha-release.yml

@@ -54,7 +54,7 @@ jobs:
             SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
             TIPI_VERSION=${{ needs.create-tag.outputs.tagname }}
           file: ./packages/worker/Dockerfile
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: ghcr.io/${{ github.repository_owner }}/worker:${{ needs.create-tag.outputs.tagname }}
           cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/worker:buildcache
@@ -87,7 +87,7 @@ jobs:
           build-args: |
             SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
             TIPI_VERSION=${{ needs.create-tag.outputs.tagname }}
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: ghcr.io/${{ github.repository_owner }}/runtipi:${{ needs.create-tag.outputs.tagname }}
           cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/runtipi:buildcache
@@ -154,6 +154,7 @@ jobs:
       - name: Rename CLI
         run: |
           mv cli/bin/cli-x64 ./runtipi-cli-linux-x64
+          mv cli/bin/cli-arm64 ./runtipi-cli-linux-arm64
 
       - name: Create alpha release
         id: create_release
@@ -169,3 +170,4 @@ jobs:
           prerelease: true
           files: |
             runtipi-cli-linux-x64
+            runtipi-cli-linux-arm64

Dockerfile

@@ -47,15 +47,15 @@ FROM node_base AS app
 
 ENV NODE_ENV production
 
-USER node
+USER 1000:1000
 
 WORKDIR /app
 
 COPY --from=builder /app/next.config.mjs ./
 COPY --from=builder /app/public ./public
 COPY --from=builder /app/package.json ./package.json
-COPY --from=builder --chown=node:node /app/.next/standalone ./
-COPY --from=builder --chown=node:node /app/.next/static ./.next/static
+COPY --from=builder --chown=1000:1000 /app/.next/standalone ./
+COPY --from=builder --chown=1000:1000 /app/.next/static ./.next/static
 
 EXPOSE 3000
 

Dockerfile.dev

@@ -25,4 +25,6 @@ COPY ./sentry.client.config.ts ./sentry.client.config.ts
 COPY ./sentry.edge.config.ts ./sentry.edge.config.ts
 COPY ./sentry.server.config.ts ./sentry.server.config.ts
 
+USER 1000:1000
+
 CMD ["npm", "run", "dev"]

package.json

@@ -1,6 +1,6 @@
 {
   "name": "runtipi",
-  "version": "2.5.0",
+  "version": "2.5.1",
   "description": "A homeserver for everyone",
   "scripts": {
     "clean-containers": "docker rm -f $(docker ps -a -q)",

packages/worker/Dockerfile

@@ -64,13 +64,15 @@ RUN pnpm -r build --filter @runtipi/worker
 # ---- RUNNER ----
 FROM runner_base AS app
 
+USER 1000:1000
+
 WORKDIR /app
 
 ENV NODE_ENV=production
 
-COPY --from=builder /app/packages/worker/dist .
-COPY --from=builder /app/packages/worker/assets ./assets
-COPY --from=builder /app/docker-binary /usr/local/bin/docker-compose
+COPY --from=builder --chown=1000:1000 /app/packages/worker/dist .
+COPY --from=builder --chown=1000:1000 /app/packages/worker/assets ./assets
+COPY --from=builder --chown=1000:1000 /app/docker-binary /usr/local/bin/docker-compose
 
 CMD ["node", "index.js", "start"]
 

packages/worker/Dockerfile.dev

@@ -4,6 +4,7 @@ ARG DOCKER_COMPOSE_VERSION="v2.23.3"
 
 FROM node:${NODE_VERSION}-alpine${ALPINE_VERSION} AS node_base
 
+
 # Install docker
 RUN apk upgrade --update-cache --available && \
   apk add openssl git docker docker-cli-compose curl && \
@@ -39,5 +40,7 @@ COPY ./packages ./packages
 
 RUN pnpm install -r --prefer-offline 
 
+USER 1000:1000
+
 CMD ["pnpm", "--filter", "@runtipi/worker", "-r", "dev"]
 

packages/worker/src/index.ts

@@ -8,7 +8,7 @@ import { Queue } from 'bullmq';
 import * as Sentry from '@sentry/node';
 import { cleanseErrorData } from '@runtipi/shared/src/helpers/error-helpers';
 import { ExtraErrorData } from '@sentry/integrations';
-import { copySystemFiles, ensureFilePermissions, generateSystemEnvFile, generateTlsCertificates } from '@/lib/system';
+import { copySystemFiles, generateSystemEnvFile, generateTlsCertificates } from '@/lib/system';
 import { runPostgresMigrations } from '@/lib/migrations';
 import { startWorker } from './watcher/watcher';
 import { logger } from '@/lib/logger';
@@ -59,9 +59,6 @@ const main = async () => {
     logger.info('Generating TLS certificates...');
     await generateTlsCertificates({ domain: envMap.get('LOCAL_DOMAIN') });
 
-    logger.info('Ensuring file permissions...');
-    await ensureFilePermissions();
-
     SocketManager.init();
 
     const repoExecutors = new RepoExecutors();

packages/worker/src/lib/system/system.helpers.ts

@@ -269,27 +269,3 @@ export const generateTlsCertificates = async (data: { domain?: string }) => {
     logger.error(error);
   }
 };
-
-export const ensureFilePermissions = async () => {
-  const directories = [path.join(ROOT_FOLDER, 'state'), path.join(ROOT_FOLDER, 'traefik'), path.join(ROOT_FOLDER, 'media'), path.join(ROOT_FOLDER, 'apps'), path.join(ROOT_FOLDER, 'logs')];
-  const files777 = [path.join(ROOT_FOLDER, 'VERSION')];
-  const files600 = [path.join(ROOT_FOLDER, 'traefik', 'shared', 'acme.json')];
-
-  for (const directory of directories) {
-    if (await pathExists(directory)) {
-      await execAsync(`find ${directory} -type d -exec chmod a+rwx {} +`).catch(() => {});
-    }
-  }
-
-  for (const file of files777) {
-    if (await pathExists(file)) {
-      await execAsync(`chmod 777 ${file}`).catch(() => {});
-    }
-  }
-
-  for (const file of files600) {
-    if (await pathExists(file)) {
-      await execAsync(`chmod 600 ${file}`).catch(() => {});
-    }
-  }
-};

packages/worker/src/services/system/system.executors.ts

@@ -70,7 +70,6 @@ export class SystemExecutors {
 
       if (now - this.cacheTime > this.cacheTimeout) {
         await fs.promises.writeFile(path.join(ROOT_FOLDER, 'state', 'system-info.json'), JSON.stringify(systemLoad, null, 2));
-        await fs.promises.chmod(path.join(ROOT_FOLDER, 'state', 'system-info.json'), 0o777);
         this.cacheTime = Date.now();
       }